Chapter 24 - Registry Editor and Registry Administration

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Windows NT 4.0 includes two tools for viewing and editing the Registry, both called Registry Editor. The traditional tool, Regedt32.exe, is featured in this chapter. The new tool, Regedit.exe, written for Windows 95, has many of the same functions as Regedt32 and uses the Windows NT Explorer interface. Both tools are installed automatically when you install Windows NT on any computer.

You can use either Registry editor to add, delete, or modify Registry entries. This chapter describes the Registry editors and how to use them, with an emphasis on protecting the Registry contents and using Registry editors to monitor and maintain the system configuration on remote computers.

The following topics are included in this chapter:

Using Registry editors and Windows NT Diagnostics (Winmsd.exe)

Viewing the Registry of a remote computer

Editing Registry value entries

Maintaining the Registry

It is recommended that, wherever possible, you make changes to the system configuration by using Control Panel or the applications in the Administrative Tools (Common) group.

Caution You can impair or disable Windows NT with incorrect changes or accidental deletions if you (or other users) use Registry Editor to change the system configuration. Wherever possible, you should use the Control Panel, Windows NT Diagnostics, and Administrative Tools in Windows NT to change the Registry. Registry Editor should be used only as a last resort.

To protect the system configuration, administrators can restrict users' access to the Registry, as described in "Maintaining Registry Security," later in this chapter.

Using Registry Editors and Windows NT Diagnostics

The Registry editors, Regedt32 and Regedit, do not appear in any menus or as icons in any window. However, they are installed automatically when you install Windows NT.

To run a Registry editor

Start Regedt32.exe or Regedit.exe from Windows NT Explorer.

– Or –

Click Start, point to Run, then type Regedt32 or Regedit in the Run dialog box.

– Or –

Type Regedt32 or Regedit at the command prompt, and press ENTER.

Regedt32 has a read-only mode that protects the Registry contents from unintentional changes while you explore its structure and become familiar with the entries. From the Options menu in Regedt32, click Read Only Mode.

Click any folder icon to display the contents of that key.

Working in the Registry Editor Windows

You can use the mouse or commands to manipulate the windows and panes in a Registry editor. For example:

Double-click a folder or key name to expand or collapse that entry. Or, use commands on the View and Tree menus to control the display of a selected key and its data.

Use the mouse or the arrow keys to move the vertical split bar in each window to control the size of the left and right panes.

From the Window menu, click Tile or Cascade to arrange the Registry Editor windows.

From the Options menu in Regedt32 click Auto Refresh to update the display continuously, or update it manually by clicking Refresh All or Refresh Active on the View menu. Regedit does not have an automatic refresh feature. To update the display when you are using Regedit, from the View menu, click Refresh or press F5.

Tip Turning off Auto Refresh in Regedt32 improves its performance.

To search for keys and subkeys, value entries, and values in Regedit, use the Find command on the Edit menu. You search for a key or subkey by using the Find Key command on the View menu in Regedt32, but you cannot search for value entries or values.

Table 24.1 shows some methods of using the keyboard to display data in each of the Registry Editor windows.

Procedure                                                                          Keyboard action
--------------------------------------------------------------------------------   --------------------------------------------------------
Expand one level of a selected Registry key.                                       Press ENTER.
Expand all of the levels of the predefined handle in the active Registry window.   Press CTRL + *.
Expand a branch of a selected Registry key.                                        Press the asterisk (*) key on the numeric keypad.
Collapse a branch of a selected Registry key.                                      Press ENTER or the minus (–) sign on the numeric keypad.

For more information about Regedt32 and Regedit, click Help Topics on the Help menu of either application.

Using Windows NT Diagnostics to View System Configuration Data

You can also use the Windows NT Diagnostics tool to view configuration data in the Registry. Windows NT Diagnostics (Winmsdp.exe) is installed in the Administrative Tools (Common) group on the Start menu and in Windows NT Explorer in the Systemroot\System32 directory when you set up Windows NT.

When you want to browse for system information, Windows NT Diagnostics is the best tool to choose. Figure 24.1 shows the Windows NT Diagnostics dialog box.

Figure 24.1 The Windows NT Diagnostics dialog box

In the Windows NT Diagnostics dialog box, click a tab to display data from the Registry in an easily readable format.

Tip You cannot edit value entries by using Windows NT Diagnostics, so the Registry contents are protected while you browse for information. However, you can select and copy any value if you want to paste information by using Registry Editor or a text editor.

Viewing the Registry of a Remote Computer

In the same way that you can use Event Viewer or User Manager to view details of another computer, you can use Registry Editor to view and change the contents of another computer's Registry if the Server service on the remote computer is running.

The ability to view a computer's configuration remotely means that the system administrator can examine a user's startup parameters, desktop configuration, and other parameters. So you, as the administrator, can provide troubleshooting or other support assistance over the telephone while you view settings on the other computer from your own workstation.

To view the Registry of a remote computer with Regedt32

From the Registry menu, click Select Computer, then type the name of the computer whose Registry you want to access, or double-click a name from the Select Computer list. If you are running Windows NT Server, the first name in this list represents the name of a domain. If no computer name appears after this domain name, double-click the domain name to view a list of the computers in that domain.

Note In Regedt32, Auto Refresh is not available when you are viewing the Registry from a remote computer. To update the display, use the Refresh All and Refresh Active commands on the View menu.

Two Registry windows appear in Regedt32 for the remote computer, one for HKEY_USERS and one for HKEY_LOCAL_MACHINE. You can view or modify the information on keys for the remote computer if the access controls defined for the keys allow you to perform such operations. If you are logged on as a member of the Administrators group, you can perform actions on all keys.

To disconnect from the Registry of a remote computer by using Regedt32, from the Registry menu, click Close for each subtree window.

To view the Registry of a remote computer by using Regedit

From the Registry menu, click Connect Network Registry, then type the name of the computer whose Registry you want to access, or click Browse to select a computer name from the network list.

An icon representing the remote computer appears in the Regedit window. Click the plus sign (+) to view the contents of the Registry. To disconnect from the Registry of a remote computer by using Regedit, from the Registry menu, click Disconnect Network Registry, click the name of the computer from which you are disconnecting, then click OK.

Loading Hives from a Remote Computer

An alternative to viewing another computer's Registry remotely is to save copies of the other computer's Registry hives and then load them into Regedt32 on your computer. You can use this method to view and change the keys and subkeys of the HKEY_LOCAL_MACHINE and HKEY_USERS hives of another computer's Registry. This enables you to investigate and repair the Registry values and value entries of a computer that is not configured properly or cannot connect to the network.

The subtrees of your computer's Registry are loaded automatically when you start the computer, and you can view its contents in a Registry editor. To view or change the contents of another computer's Registry, you must load a saved copy of all or part of its hive.

You might load the hive of another computer's Registry for the following reasons:

To view or repair a hive on a computer that temporarily cannot run Windows NT. For details, see "Backing Up and Restoring Registry Hives," later in this chapter.

To view or repair the profiles of users who aren't currently logged on to a computer. For details and examples, see "Managing User Profiles Through the Registry" in Chapter 25, "Configuration Management and the Registry."

To view or repair a hive of a computer that is not connected to the network. Save a copy of its hive on a floppy disk, then load it into Regedt32 on another computer.

To create a custom version of the LastKnownGood control set and other startup controls. For details and examples, see "Making Sure the System Always Starts" in Chapter 25, "Configuration Management and the Registry."

Please note the following rules when loading a hive from another computer's Registry by using Regedt32:

Before you can load a hive, you must save it as a file by using the Save Key command in Regedt32 (described later in this chapter). You can also load another computer's system hive files—those that Windows NT creates for its own use—but only while Windows NT is not running on that computer. By default, the system's hive files are stored in Systemroot\System32\Config and Systemroot\Profiles.

You can load only the keys and subkeys of HKEY_LOCAL_MACHINE and HKEY_USERS. Also, you can neither save nor load keys and subkeys that are volatile, that is, those that are created each time the system starts and deleted when the system stops. (You can save nonvolatile keys in volatile hives. For example, although the HKEY_LOCAL_MACHINE\Hardware key is volatile, you can save nonvolatile subkeys under that key.)

To load or unload a hive, you must log on to the computer as Administrator or as a member of the Administrators group, and you must have Restore and Backup permissions.

The Load Hive command is enabled only when the HKEY_USERS or HKEY_LOCAL_MACHINE subtree is selected in Regedt32. The Unload Hive command is enabled only when the root (highest key) of a loaded hive is selected.

Note Versions of Windows NT previous to version 4.0 did not allow you to load hive files that had filename extensions. This restriction does not apply to Windows NT 4.0.

If you are unable to connect to another computer over the network, you can load a hive file from a floppy disk.

To load a hive file into Regedt32

In Regedt32, click the HKEY_LOCAL_MACHINE or HKEY_USERS subtree window.

From the Registry menu, click Load Hive. The Load Hive dialog box appears. This is a Windows NT Explorer dialog box that lists the drives of the local computer and represents all computers connected to the local computer.

Locate the saved hive file and double-click its entry.

Note When locating a hive file on a remote computer, use a path relative to the remote computer, not to the local computer. For example, if you are using your G: drive to connect to \\Text01\Public to save Hive.tst, enter \\Text01\Public\Hive.tst, not G:\Hive.tst. The G:\Hive.tst entry directs Regedt32 to look for the file on the G: drive of the remote computer, not the G: drive of the local computer.

In the second Load Hive dialog box, type the name you want to use for the key where the hive will be loaded, then click OK.

This names a new subkey in the selected subtree. You can specify any name that is not being used for another file or another key in the Registry.

Data from the loaded hive appears as a new subkey in the subtree selected when you loaded the hive file. A loaded hive remains in the system until you unload it.

The Load Hive command creates a new hive in the memory space of the Registry and uses the specified file as the backing hive file (Filename.log) for it. The specified file is held open, but nothing is copied to the file unless the information in a key or value entry is changed. Likewise, the Unload Hive command does not copy or create anything; it merely unloads a loaded hive.

To unload a hive from Regedt32

Select the root (top) key of the hive you want to unload. From the Registry menu, click Unload Hive.

The connection is ended and the selected key is removed from Regedt32.

Note You cannot unload a hive that was loaded by the system. Also, you cannot unload a hive if an application has an open handle to any subkey in the hive. (A handle is a means for controlling access to objects in the system.) However, there is no way to detect whether an application has an open handle to a key.

If an attempt to use the Unload Hive command fails, close all applications not in immediate use and try again.

Saving and Restoring Keys

You can use Regedt32 or Regedit to save all or part of a Registry subtree to a file. This file can then be used to restore that Registry or the Registry of another computer by replacing a damaged key with the contents of the file. If you save the key to a file by using Regedt32, you can also load the file into Regedt32 on any computer to examine its contents or to edit it.

Regedt32 and Regedit save Registry keys in different formats and use different methods for restoring the Registry. Decide which tool you will use before beginning the process. You cannot save a key to a file with one tool and use the other tool to restore a Registry with that file.

Regedt32 saves Registry keys in a compressed format similar to that used by the system for its own hive files. You can load these files into Regedt32 on any computer to examine or edit them. You can also use Regedt32 to restore a damaged Registry key by replacing the damaged key with the contents of the saved file.

Regedit saves Registry keys to a text file with a .reg filename extension. You cannot view or edit the contents of a .reg file from within Regedit, but you can view the file contents in any text editor, such as Notepad. (You should not edit a .reg file unless you know the format.) You can also use Regedit to replace Registry keys with the contents of a .reg file by importing the file into the Registry.

The remainder of this section describes how to save and restore Registry keys by using Regedt32 and Regedit.

Using Regedt32 to Save and Restore Registry Keys

To save a Registry key and its subkeys to a hive file, use the Save Key command in Regedt32. You can then use the Load Hive command in Regedt32 to view and edit the file and use the Restore command to replace a Registry key with the file contents.

Note Do not confuse the hive files you create by using the Save Key command with the hive files created by the system for its own use. The system hive file of a remote computer, usually stored in Systemroot\System32\Config and Systemroot\Profiles, can be loaded or restored only while Windows NT is not running on that computer.

Changes in the Registry are saved automatically, whether you make changes by using a Registry editor or by changing settings in applications. The Save Key command is used specifically to save portions of the Registry as a file on disk.

To use the Save Key command, you need Backup permissions, which you have if you are logged on as a member of the Administrators group.

You can use the Save Key command on any key. However, you cannot save volatile keys. A volatile key is one that is created when the system starts and deleted when it stops. Some volatile keys have nonvolatile subkeys that can be saved. For example, the HKEY_LOCAL_MACHINE\Hardware key is volatile, but you can save the nonvolatile subkeys under that key. To view the entire Hardware key for debugging, save it in a text file by using the Save Subtree As command on the Registry menu, as described later in this chapter.

To save a Registry key by using Regedt32

Select the key that you want to save as a hive file on a disk.

From the Registry menu, click Save Key, then type a filename for the saved file in the Save Key dialog box.

Note When saving a hive file on a remote computer, use a path relative to the remote computer, not to the local computer. For example, if you are using your G: drive to connect to \\Text01\Public to save Hive.tst, enter \\Text01\Public\Hive.tst, not G:\Hive.tst. The G:\Hive.tst entry directs Regedt32 to save the file on the G: drive of the remote computer, not the G: drive of the local computer.

The selected key is now saved as a file. When you use the Load Hive command, you can select the filename for any files that you saved by using the Save Key command.

For example, as part of system maintenance, you use the Save Key command to save a key as a file. When the key that you saved is ready to be returned to the system, you use the Restore command.

You can use the Restore command to make a hive file a part of the system configuration by loading the data from the hive file into an existing key. The contents of the file overwrite and replace the contents of the Registry key, except for the key name.

To use the Restore command, you need Restore permissions, which you have if you are logged on as a member of the Administrators group.

To restore a key by using Regedt32

Select the key you want to restore from a hive file.

From the Registry menu, click Restore, then enter the name of the hive file from which data will be taken to overwrite the key.

Note When restoring a hive from a file on a remote computer, use a path relative to the remote computer, not to the local computer.

You cannot restore a key while the system is using it or any of its subkeys. For example, you cannot restore the SAM or Security keys because the system is always using these keys. The Restore command is used only for special conditions, such as to restore user profiles on a damaged system. To switch to a backup version of a hive, use Regrest.exe, a tool distributed on the Windows NT Workstation Resource Kit CD. For more information about Regrest, see Rktools.hlp, a Help file for tools on the Windows NT Workstation Resource Kit CD.

Using Regedit to Save Registry Keys

You can save Registry keys and their subkeys by using the Export Registry command in Regedit. This command saves a specific branch or the entire Registry in a text file with a .reg filename extension. Later, you can use the Import Registry command to rebuild a key or the entire Registry from an exported Registry file.

You can run Regedit from the Regedit window within Windows NT or from a command prompt. This section describes both methods.

To save a Registry key by using the Regedit window

From the Registry menu, click Export Registry File.

In the Export Range box of the Export Registry File dialog box, specify the part of the Registry you want to save.

Click All to save the entire Registry

– Or –

Click Selected Branch to save a subtree, key, or subkey.

The Selected Branch edit box displays the name of the Registry keys or subkeys that were selected when you clicked the command. You can save that key or type the name of any key over it. (Regedit saves the key you select and all of the subkeys and value entries it contains.)

Type a path and filename for the Registry file in the File name edit box, or navigate to a folder by using the Windows NT Explorer interface in the Export Registry File dialog box, then type a filename.

Regedit appends the .reg filename extension to the filename you enter.

Click Save to return to Regedit.

To save a Registry key by using Regedit from a command prompt

Run Regedit from a command prompt to export Registry keys to .reg files. Use the following format:

regedit /eFilename.reg [Registry key]

The Registry key field is optional. The default is to export the entire Registry to a file.

Using Regedit to Restore Registry Keys

You can restore or replace a Registry key by importing a .reg file containing that key into the Registry. The contents of the Registry key are overwritten and replaced by the contents of the .reg file. If the Registry that is being restored is running on a computer that can still run Windows NT, use the Regedit window to restore the key. However, you can also run Regedit from the command prompt, if necessary.

Warning Use extreme caution in restoring keys. As with any Registry changes, an error can prevent Windows NT from loading and running, or prevent users from logging on to the system.

To restore a Registry key by using the Regedit window

From the Registry menu, click Import Registry File.

Locate the .reg file you are using to restore the Registry key, then click OK.

To restore a Registry key by using Regedit from a command prompt

If the Registry is damaged or if the system no longer starts, run Regedit from a command prompt to diagnose and correct the problem. From the command line, use Regedit commands to export, import, or create a Registry.

You can also import Registry keys from .reg files at a command prompt. Use the following format:

regedit /ifilename.reg

– Or –

regedit /cfilename.reg

The /i (import) switch is used to import .reg files that contain a part of the Registry. The Registry keys (and their contents) saved in the .reg file overwrite only the analogous keys in the Registry. Please note that this command does not have a field to specify a Registry key. All of the Registry keys (and their subkeys and values) saved in the .reg file overwrite the analogous keys in the Registry. You cannot specify that only a subset of the keys be replaced.

The /c (complete) switch assumes that the .reg file contains a copy of an entire Registry. The contents of the .reg file overwrite all keys in the Registry.

Caution Use the regedit /c command with extreme care, and only when you are sure that the .reg file specified contains a complete image of the Registry. The regedit /c command replaces the entire contents of the Registry.

Editing Registry Value Entries

Within the Registry, you can alter the value entries for a selected key or assign new value entries to keys. This section describes how to find keys and how to add, edit, or delete keys and value entries.

Finding a Key in the Registry

A Registry key might be in a different place in the tree structure of your computer's Registry than where it is described in this chapter, depending on whether a computer is running Windows NT Workstation or Windows NT Server, and on other factors as well.

You can search for a specific key name in the Registry tree. Key names appear in the left pane of the Registry Editor window. The search begins from the currently selected key. A search beginning from a predefined key searches all its descendent keys.

Each search is local to the subtree where the search begins. That is, if you search in the HKEY_LOCAL_MACHINE subtree window, the search does not include keys found under any other subtree.

To search for a key by using Regedt32

From the View menu, click Find Key.

In the Find What box of the Find Key dialog box, type the name of the key that you want to find.

If you want to restrict the scope of the search or define the search direction, select the Match Whole Word Only box, the Match Case option, or select Up or Down in the Direction box.

To see the next occurrence of the key name you specified, click Find Next.

Click Find.

Key names are not unique. To be sure you find the key you want, it's a good idea to search for additional occurrences of a specific key name.

Tip Some key names include spaces, underscores, or a continuous string (such as KeyboardPort/PointerPort). To ensure that you find the key you want, search for a portion of the name, and make sure that the Match Whole Word Only check box in the Find dialog box is cleared.

To find specific keys or value entries related to specific topics, you can also use Regentry.hlp, the Registry Help file on the Windows NT Workstation Resource Kit CD.

In Regedt32, you can search only for keys and subkeys of the Registry. Regedit, however, has an expanded search capability: you can search for value entries and values as well as keys and subkeys. In addition, you determine the level at which Regedit searches. This can expedite a search for a subkey by preventing Regedit from looking at every value entry.

To search for a key, value entry, or value by using Regedit

From the Edit menu, click Find.

In the Find dialog box, enter the name of the key, subkey, value entry, or value you want to find. Use the check boxes to limit or expand your search. Click OK.

To see the next occurrence of the entry, from the Edit menu, click Find Next or press F3.

Editing Values in the Registry

Each value entry in Registry Editor appears as a string that consists of three components, as shown in Figure 24.2.

Figure 24.2 The three components of a value entry

The following rules govern the content of these three value entry components:

The name of the value is a string of up to 16,000 Unicode characters (32K). This name can contain backslash (\) characters. The name itself can be null (that is, " ").

The data type of the value is REG_BINARY, REG_DWORD, REG_EXPAND_SZ, REG_MULTI_SZ, or REG_SZ. Other data types can be defined by programs, but Registry Editor edits values of these types only. For more information about the value types, see "Value Entries for Registry Keys" in Chapter 23, "Overview of the Windows NT Registry."

The value in a value entry can be data of a size up to 1 MB in any data type except REG_DWORD, including arbitrary strings and raw binary data. However, to be efficient, values larger than 2048 bytes should be stored as files, with the filenames stored in the Registry.

The Registry preserves case as you type it for any entry but ignores case in evaluating the data. However, the data is defined by specific applications (or users), so applications that use the data might be case sensitive, depending on how the program that uses it treats the data.
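Because a .reg file handed to regedit /i rewrites every key it lists and cannot be limited to a subset, it is worth previewing what a file contains before importing it. The following Python script is an added example, not part of this chapter or of Regedit: it parses the REGEDIT4 text format that Regedit exports and checks each value entry against the name, type, and size rules above. The sample .reg content, key paths, and values are constructed for the example; the "hex(2)" and "hex(7)" type codes are the ones Regedit uses for REG_EXPAND_SZ and REG_MULTI_SZ data.

```python
import re
from typing import Dict, List, Tuple
# Value-entry rules stated in the chapter: the five types Registry Editor edits,
# names up to 16,000 characters, data up to 1 MB, data over 2048 bytes belongs in a file.
EDITABLE_TYPES = {"REG_SZ", "REG_DWORD", "REG_BINARY", "REG_EXPAND_SZ", "REG_MULTI_SZ"}
MAX_NAME_CHARS, MAX_DATA_BYTES, FILE_ADVISABLE_BYTES = 16_000, 1_048_576, 2048
# Type codes Regedit writes after "hex" for non-REG_BINARY data (Win32 REG_* numbers).
HEX_TYPE_CODES = {None: "REG_BINARY", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}
# Constructed sample (not from the chapter) in the REGEDIT4 text format that Regedit
# on Windows NT 4.0 writes; the key paths and values are made up for this example.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
@="ExampleCorp Agent"
"InstallDir"="C:\\Program Files\\Agent"
"Timeout"=dword:0000003c
"Flags"=hex:01,00,00,00
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,00,00
"Servers"=hex(7):73,00,72,00,76,00,31,00,00,00,73,00,72,00,76,00,32,00,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
'''
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # '@' is the key's default value

def _logical_lines(text: str):
    """Yield stripped lines, joining hex data that Regedit continues after a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        yield line

def _decode_data(data: str) -> Tuple[str, object]:
    """Turn the right-hand side of a value line into (type name, Python data)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])   # undo the \\ and \" escapes
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", data)
    if not m:
        raise ValueError(f"unrecognised value data: {data!r}")
    code = int(m.group(1)) if m.group(1) else None
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    vtype = HEX_TYPE_CODES.get(code, f"REG_TYPE_{code}")
    if vtype == "REG_EXPAND_SZ":      # UTF-16LE text with a NUL terminator
        return vtype, raw.decode("utf-16-le").rstrip("\x00")
    if vtype == "REG_MULTI_SZ":       # NUL-separated UTF-16LE strings, double NUL at the end
        return vtype, [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return vtype, raw

def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse a REGEDIT4 export into {key path: {value name: (type, data)}}."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    tree, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"malformed line: {line!r}")
        name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        tree[current][name] = _decode_data(m.group(2))
    return tree

def _data_size(vtype: str, data) -> int:
    """Approximate stored size in bytes (strings are UTF-16 with terminators)."""
    if vtype == "REG_DWORD":
        return 4
    if vtype == "REG_MULTI_SZ":
        return sum((len(s) + 1) * 2 for s in data) + 2
    return (len(data) + 1) * 2 if isinstance(data, str) else len(data)

def review_import(tree) -> Dict[str, List[str]]:
    """Preview 'regedit /i file.reg': every listed key is overwritten; flag rule violations."""
    report: Dict[str, List[str]] = {"overwrites": list(tree), "warnings": []}
    for key, values in tree.items():
        for name, (vtype, data) in values.items():
            label = f"{key}\\{name or '(Default)'}"
            size = _data_size(vtype, data)
            if len(name) > MAX_NAME_CHARS:
                report["warnings"].append(f"{label}: value name longer than {MAX_NAME_CHARS} characters")
            if vtype not in EDITABLE_TYPES:
                report["warnings"].append(f"{label}: type {vtype} cannot be edited in Registry Editor")
            if size > MAX_DATA_BYTES:
                report["warnings"].append(f"{label}: data exceeds the 1 MB limit")
            elif size > FILE_ADVISABLE_BYTES:
                report["warnings"].append(f"{label}: {size} bytes of data; store it in a file instead")
    return report
```

Running review_import(parse_reg(open("file.reg").read())) lists the keys the import would rewrite, which is the check the /i switch itself cannot give you.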

To edit a value by using Regedt32 or Regedit

In the right pane of the Registry Editor window, double-click the value entry.

– Or –

In Regedt32, from the Edit menu, click String, Binary, DWORD, or Multi String as appropriate for the selected value. In Regedit, from the Edit menu, click Modify.

Edit the value that appears in the related Editor dialog box, then click OK.

The Binary and DWORD options in Regedt32 let you select the base of the number system you use to edit your data. In the Binary editor, you can edit your data as binary (base 2) or hexadecimal (hex—base 16). In the DWORD editor, you can edit your data in binary, hex, or decimal (base 10). Hex is the default base for both editors. The right pane of the Registry Editor always displays these types of data in hex.

Tip To view numbers in decimal format, double-click the value entry and select the Decimal format option. Cancel the dialog box when you finish checking the value.

Information stored in a nonvolatile key remains in the Registry until you delete it. Information stored in a volatile key is discarded when you shut down the system. However, volatile keys can contain nonvolatile subkeys and nonvolatile keys can contain volatile subkeys. For example, the HKEY_LOCAL_MACHINE\Hardware key is volatile, but many of its subkeys are nonvolatile.

Note As your Registry grows in size, eventually you might want to set a larger value for RegistrySizeLimit. For more information, see "Registry Size Limit" in Chapter 23, "Overview of the Windows NT Registry."

Adding a Key

You can add a key to store data in the Registry. For example, you can add a subkey under CurrentControlSet\Services to start a service process you have written or to install a device driver that doesn't have an installation program.

To do this, you must have Create Subkey access permission for the key under which you are adding a subkey, as described in "Assigning Access Rights to Registry Keys," later in this chapter.

To add a key to the Registry by using Regedt32

Select the key or subkey under which you want the new key to appear.

From the Edit menu, click Add Key or press the INS key.

In the Key Name box of the Add Key dialog box, type the name that you want to assign to your key.

The key name cannot contain a backslash (\), and it must be unique in relation to other subkeys at the same level in the hierarchy. That is, Key1 and Key2 can each have a subkey named Key3, but Key1 cannot have two subkeys named Key3.

Leave the Class box blank. This box is reserved for future use.

Click OK to display the new key in the Registry Editor window.

To add a key to the Registry with Regedit

Select the key or subkey under which you want the new key to appear.

From the Edit menu, click New, then click Key. A new folder appears under the selected key, with the name of the folder selected so that you can edit it.

Type a name for the key and press ENTER.

Adding a Value Entry to a Registry Key

You can use the Registry editors to assign a new value entry to a key or edit the value entry of an existing key. When you do this, the value that you add appears in the data pane of the selected Registry window.

To determine value entries you might add, see the tuning and troubleshooting information in Regentry.hlp, which is included in the Windows NT Workstation Resource Kit CD.

To add a value entry to a Registry key by using Regedt32

Select the subkey to which you want to add a value entry.

From the Edit menu, click Add Value.

Tip To quickly open the Add Value dialog box, switch to the right pane by using the TAB key or the mouse, then press the INS key.

In the Add Value dialog box, type the name you want to assign to the new value entry.

In the Data Type box, select the type that you want to assign to the value entry.

The data types are described in "Value Entries in the Registry Keys" in Chapter 23, "Overview of the Windows NT Registry."

Click OK, then type the value in the String Editor dialog box. Click OK again to display the new entry in the Registry Editor window.

To add a value entry to a Registry key by using Regedit

Select the subkey to which you want to add a value entry.

From the Edit menu, click New, then click String Value, Binary Value, or DWORD Value depending upon the data type of the value you are adding.

The new value entry appears in the right panel with the name of the value entry selected so you can edit it.

Type a name for the value entry.

To edit the value, double-click the value entry, edit the value in the Value data box of the editor dialog box for that data type, then click OK.

Deleting a Key or a Value Entry

To remove selected keys or value entries from the Registry, you can use the Delete command from the Edit menu or you can press the DELETE key. However, you cannot delete any of the predefined subtrees or change the name of a key.

Caution There is no Undo command for deletions. Registry Editor prompts you to confirm the deletions if Confirm On Delete is selected from the Options menu. When you delete a key, the message does not include the name of the key you are deleting. Check your selection carefully before proceeding. To recover a subkey of HKEY_LOCAL_MACHINE\System\CurrentControlSet, restart the computer. Press the spacebar immediately when you see the message Press spacebar now to invoke Hardware Profile/Last Known Good Menu.

In Regedt32, you can protect the Registry from accidental deletions by using the following methods:

Protect data through read-only mode.

From the Options menu, select Read Only Mode. When this option is selected, Regedt32 does not save any changes. This protects the data from accidental changes.

Protect data through confirmation.

From the Options menu, select Confirm On Delete. When this option is selected, Regedt32 prompts you to confirm deletion of any key or value.

Maintaining the Registry

Windows NT enforces access control on Registry files, so it is difficult for users to accidentally or intentionally damage or delete hives on a running system. While the system is running, the files of loaded hives are held open by the system for exclusive access, on any file system. That exclusive access does not cover hive files that are not loaded, such as the profile hives of users who are not currently logged on. If the Windows NT Systemroot is not on an NTFS volume, any user can tamper with those files and, for example, delete the profiles of users who are not logged on. With NTFS, file permissions prevent such tampering. Note also that the exclusive access protects the files only while Windows NT is running: anyone who can start the computer from another operating system can read or replace the hive files, which is exactly how the offline backup and restore procedures later in this chapter work. Physical protection of the computer is therefore part of protecting its Registry.

You should plan how to protect the Registry for each computer at your site that runs Windows NT. This section describes how to ensure that you will have working Registry files under most conditions.

For more details about how to ensure recoverability under all conditions, see "Making Sure the System Always Starts" in Chapter 25, "Configuration Management and the Registry."

Maintaining Registry Security

Do not allow a user to log on as a member of the Administrators group unless that individual has specific administrative duties.

You can also opt not to put Regedt32.exe on workstations, because you can easily administer any workstation from a remote computer. And you can place access controls on Regedt32.exe in Windows NT Explorer, which limits the rights of users to start this program. Treat these measures as conveniences rather than as security controls: they restrict only this one tool, and a user can copy Regedt32.exe from another computer or use any other program that calls the Registry functions. What actually controls access to Registry data is the permissions on the keys themselves, described later in this section.

This section describes the additional steps you can take to protect the Registry:

Protect Registry files.

Assign access rights to Registry keys.

Audit Registry activities.

Protecting Registry Files for User Profiles

You can protect the user profiles in the Registry in the same way that you protect other files in Windows NT—by restricting access through Windows NT Explorer. If the files are stored on an NTFS volume, you can use the security features of Windows NT Explorer to assign permissions for the Registry files or Registry editors. From the File menu, click Properties, then click the Security tab. For details about using these commands, see the Windows NT Explorer Help.

Caution Change file permissions for the user profile hive files only. The file permissions on the other hive files (in Systemroot\System32\Config) are maintained automatically by the system and should not be changed. Permissions on Registry keys, as opposed to hive files, are covered in the next section.

For information about safeguarding files with backups, see "Backing Up and Restoring Registry Hives," later in this chapter.

Assigning Access Rights to Registry Keys

To determine who has access to specific Registry data, set permissions on the Registry keys to specify the users and groups that can have access to that key. (This is sometimes called changing ACLs, in reference to the access control lists that govern who has access to data.) You can also add names to or remove names from the list of users or groups authorized to access the Registry keys.

You can assign access rights to Registry keys regardless of the type of file system on the partition where the Windows NT files are stored.

Caution Changing the permissions to limit access to a Registry key can have severe consequences. If, for example, you set No Access permissions on a key needed for configuration by the Network option in Control Panel, the application will fail.

At a minimum, give the Administrators group and the SYSTEM account Full Control of the key, thus ensuring that the system starts and that the Registry key can be repaired by an administrator.

If you change permissions on a Registry key, you should audit that key for failed access attempts. For details, see "Auditing Registry Activities," later in this chapter.

Because assigning permissions on specific keys can have serious consequences, you should reserve this action for keys that you add to accommodate custom applications or other custom settings. After you change permissions on a Registry key, be sure to turn on auditing in User Manager, and then test the system extensively through a variety of activities while logged on under different user and administrative accounts.

In Regedt32, the commands on the Security menu for assigning permission and ownership of keys work in the same way as similar commands for NTFS partitions in Windows NT Explorer for assigning access rights for files and directories. For details about these commands, see help for the Registry editor.

To assign permissions on a key

Make a backup copy of the Registry key before making changes.

Select the key for which you want to assign access permission. Then, from the Security menu, click Permissions.

In the Registry Key Permissions dialog box, assign an access level to the selected key by selecting an option in the Type of Access box as described in the following table, and then click OK.

Type of access

Meaning

Read

Allows users on the Permissions list to read the key's contents, but prevents changes from being saved.

Full Control

Allows users on the Permissions list to access, edit, or take ownership of the selected key.

Special Access

Allows users on the Permissions list some custom combination of access and edit permission for the selected key. For a description of the Special Access types, see "Auditing Registry Activities," later in this chapter.

Turn on auditing in User Manager (in Windows NT Workstation) or User Manager for Domains (in Windows NT Server), and then test the system extensively to ensure that the new access control does not interfere with system or application operations.

As a system administrator, you might need to take ownership of a key to protect access to that key. To take ownership of a Registry key, click Owner on the Security menu, then complete the Ownership dialog box. You add users or groups to the Permissions list by following the same procedure for managing lists of users and groups as you use throughout Windows NT.

Any user who logs on to the computer as a member of the Administrators group can take ownership of any Registry key. Ownership can only be taken, not given: if an administrator takes ownership of a key without having been granted Full Control by its owner, the key cannot be handed back to the original owner, and the change of ownership is recorded in the Security log when auditing is turned on.
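The "To assign permissions on a key" procedure above, scripted end to end: back up the key first, apply the chapter's minimum of Full Control for Administrators and SYSTEM, and verify the result. This is an added example, not part of the original chapter, written for a current Windows release with PowerShell rather than Regedt32. The key HKLM:\SOFTWARE\ExampleApp and the backup directory C:\RegBackup are placeholders chosen for the example, and the script must run from an elevated prompt because keys under HKLM: are writable only by administrators.

```powershell
# Added example (not from the original chapter): set permissions on a custom
# application key the way the chapter recommends. HKLM:\SOFTWARE\ExampleApp
# and C:\RegBackup are placeholders for this example. Run elevated.
$key       = 'HKLM:\SOFTWARE\ExampleApp'
$regPath   = 'HKLM\SOFTWARE\ExampleApp'       # same key in reg.exe notation
$backupDir = 'C:\RegBackup'

if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null

# Step 1: back up the key before touching it. reg.exe save writes a hive file
# (the counterpart of Regedt32's Save Key). The current ACL is saved as well,
# so it can be put back with Set-Acl if the new permissions break something.
& reg.exe save $regPath "$backupDir\ExampleApp.hiv" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe save failed (exit $LASTEXITCODE); permissions left unchanged" }
Get-Acl -Path $key | Export-Clixml -Path "$backupDir\ExampleApp.acl.xml"

# Step 2: build the new ACL. Administrators and SYSTEM keep Full Control (the
# chapter's minimum), Users get read access only, and inheritance from the
# parent key is cut so that nothing broader leaks in from HKLM\SOFTWARE.
$acl = Get-Acl -Path $key
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting, drop inherited entries
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Users';          Rights = 'ReadKey' }
)
foreach ($e in $entries) {
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $e.Id, $e.Rights, $inherit, $prop, 'Allow')
    $acl.SetAccessRule($rule)     # replaces any existing Allow entry for that identity
}

# Step 3: apply, then verify by reading the ACL back rather than trusting the
# object in memory.
Set-Acl -Path $key -AclObject $acl
(Get-Acl -Path $key).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Taking ownership, the Security > Owner command, is $acl.SetOwner() on the same object followed by Set-Acl, and needs an account that holds the take-ownership privilege. Whatever you change, follow the chapter's advice: turn on failure auditing for the key and exercise the application under ordinary user accounts before leaving the new permissions in place.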

Auditing Registry Activities

To audit Registry activities, you must complete these separate activities:

Turn on auditing and set the audit policies in User Manager or User Manager for Domains for the activities you want to audit.

Specify the groups and users whose activities you want to audit for selected keys by using the Auditing command in Registry Editor.

View the Security log in Event Viewer for a selected computer to see the results of auditing.

For each of these activities, you must be logged on as a member of the Administrators group for the specific computer you are auditing. Auditing policies are set on a per-computer basis. Before you can audit activities in Registry keys, you must turn on security auditing for the computer.

To turn on auditing

In User Manager or User Manager for Domains, from the Policies menu, click Audit. Select the Audit These Events option to turn on auditing.

Select Success and Failure options for each type of event to be audited, then click OK.

Note At a minimum, you should select the Failure option for File And Object Access. Selecting Success for many items can produce a large number of meaningless entries in the event log.

You can audit actions for a specific Registry key. For example, you can audit:

Keys where you want to know about changes being made by users or applications.

Keys you added that you want to test.

To audit user actions for a selected Registry key

From the Security menu in Registry Editor, click Auditing, then complete the dialog box.

This command in Registry Editor is similar to the Auditing command in Windows NT Explorer.

Select the Success or Failure option for the following activities:

Audit option

Audits events that attempt to

Query Value

Open a key with Query Value access.

Set Value

Open a key with Set Value access.

Create Subkey

Open a key with Create Subkey access.

Enumerate Subkeys

Open a key with Enumerate Subkeys access (that is, events that try to find the subkeys of a key).

Notify

Open a key with Notify access.

Create Link

Open a key with Create Link access.

Delete

Delete the key.

Write DAC

Change the key's permissions (write its discretionary access control list).

Read Control

Read the key's security information (its owner and its permissions).

To view the results of auditing

Run Event Viewer, select the computer that you are interested in, then click Security on the Log menu.

Note If you change permissions for any Registry key, you should turn on Auditing in User Manager and specify the Failure auditing option for File And Object Access. Then, if any application is not working because of changes in permissions, you can check the Security event log for details.
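The three auditing activities above (set the computer's audit policy, attach an audit entry to the key, read the Security log), scripted. This is an added example, not part of the original chapter, written for a current Windows release with PowerShell; it is not a Windows NT 4.0 procedure. On current Windows the "File And Object Access" policy of User Manager has become the Object Access category, whose Registry subcategory is set here with auditpol.exe, and a denied open of an audited key is logged as Security event 4656. The key HKLM:\SOFTWARE\ExampleApp is a placeholder. Run it elevated, then try to open the key from an ordinary user account to produce a failure entry.

```powershell
# Added example (not from the original chapter): enable failure auditing for
# a Registry key and report the failed accesses recorded against it.
# HKLM:\SOFTWARE\ExampleApp is a placeholder key. Run elevated.
$key = 'HKLM:\SOFTWARE\ExampleApp'
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

# Step 1: per-computer policy. Failure only, as the chapter advises; Success
# on a busy key fills the log with entries nobody reads.
& auditpol.exe /set /subcategory:"Registry" /failure:enable /success:disable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed (exit $LASTEXITCODE); is the prompt elevated?" }

# Step 2: the audit entry on the key. The system ACL is separate from the
# permissions, so Get-Acl needs -Audit to read it before Set-Acl can write it.
$acl = Get-Acl -Path $key -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::FullControl,        # every access type in the table above
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, # and its subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.SetAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# Step 3: the Security log. Event 4656 is "a handle to an object was
# requested"; its data fields name the object type, the key path in the
# kernel's \REGISTRY\MACHINE\... form, the requesting process and the
# access types that were asked for (as %%nnnn message codes).
$filter = @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectType'] -eq 'Key' -and $d['ObjectName'] -like '*\ExampleApp*') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $_.KeywordsDisplayNames -join ','      # "Audit Failure" for a denied open
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            Access  = ($d['AccessList'] -replace '\s+', ' ').Trim()
        }
    }
} | Format-Table -AutoSize
```

The report answers the question the note above poses: when an application stops working after a permissions change, the Process and Access columns show which program asked for which access type and was refused, which tells you what to add back to the key's permissions.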

Backing Up and Restoring Registry Hives

You might need to restore backed-up versions of Registry hives. This can occur, for example, when a new computer replaces an old one, when a disk controller or hard disk becomes corrupted, or when an electrical failure erases large parts of a disk. This section describes how to back up and restore Registry hives.

How this restoration is done depends on what hardware is available and what file system is in use. You can, of course, restore only what you have backed up.

Important Back up all important files, including system files, frequently and consistently.

Your regular backup routine should include using Disk Administrator to create an uncompressed backup of the System hive. (In Disk Administrator, from the Partition menu, click Configuration, then click Save.) Also, the Emergency Repair Disk includes a compressed version of the System hive. For details, see Disk Administrator Help, and Chapter 20 of this book, "Preparing for and Performing Recovery."

Backing Up Registry Hives

You can make a Registry hive backup in one of four ways:

Use a tape drive and the Windows NT Backup program. To automatically include a copy of the local Registry files in the backup set, select the Backup Local Registry option in the Backup Information dialog box. This is the preferred method for creating backups if you have a tape drive.

If you do not have a tape drive, use a utility that backs up the Registry, such as the Repair Disk Utility (Rdisk.exe), which is automatically installed when you install Windows NT. You can also use Regback.exe, a tool included on the Windows NT Workstation Resource Kit CD. For more information, see Repair Disk Utility Help or Rktools.hlp on the Windows NT Workstation Resource Kit CD.

Use a different operating system to start the computer. Then copy all files in the Systemroot\System32\Config directory to a safe backup location. For example, use another instance of Windows NT if the Registry is stored on an NTFS partition, or use MS-DOS if the Registry is stored on a FAT partition.

In Regedt32, use the Save Key command, which backs up Registry keys manually.

For each key immediately below HKEY_LOCAL_MACHINE and HKEY_USERS, click the key, and then, from the Registry menu, click Save Key. Choose filenames that match the key names. For example, save the System key to \Backdir\System.

Note Volatile subkeys, that is, those created each time the system starts and deleted when it stops, cannot be saved. However, you can save the nonvolatile subkeys of volatile keys. For example, although the HKEY_LOCAL_MACHINE \Hardware key is volatile, you can save nonvolatile subkeys under that key.

Restoring Hives from Backup Files

If you have a good set of backup files, which you update regularly, you can restore Registry hives that are damaged or missing.

But you cannot use Registry Editor to fully restore hives, because you must use the ReplaceKey operation to restore active parts of the Registry. Registry Editor cannot perform this operation.

To restore a damaged system, you must first restore the basic operating system installation. To do this, you can use the Emergency Repair Disk to restore your system to its postinstallation status, or you can simply run Windows NT Setup again. If you rerun Setup, the system starts the computer but lacks changes made since you first set it up. You can recover most of those changes if you copy files from backups by using the Windows NT Backup program for tape backups or by copying from disk backups.

Tip To update the Emergency Repair Disk after making changes that affect the Registry, use the Repair Disk Utility (Rdisk.exe), a tool included in Windows NT. If you use the rdisk command alone (no switches), it backs up the System and Software hives only. If you use rdisk /s, it backs up the SAM and Security hives as well. However, if the system includes many user accounts, the file might be too large to fit on the single floppy disk required for the Emergency Repair Disk update process.

However, you cannot merely copy the backups of Registry hive files, because those files are protected while Windows NT is running. So, after the system and all of the additional files such as device drivers are restored, you must restore the Registry. You can do this in one of the following ways, depending on which backup mechanism you used:

For tape backups, you can use Windows NT Restore to restore the Registry.

Start the computer by using an alternative instance of the operating system (or using MS-DOS if the system files are on a FAT partition). Copy the files to the Systemroot\System32\Config directory. Then restart the computer by using the regular operating system.

Use Regrest.exe, a tool included on the Windows NT Workstation Resource Kit CD. Regrest replaces the default files installed by Windows NT Setup with data from backup files, and saves the default files under other filenames. To see the restored Registry, restart the computer after running Regrest.
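The Save Key backup of the hives under HKEY_LOCAL_MACHINE and the key-level restore described above, scripted. This is an added example, not part of the original chapter, written for a current Windows release with PowerShell; reg.exe save and reg.exe restore are the command-line front ends to the same save and restore operations that Regedt32's Save Key and Restore commands use, and the ReplaceKey limitation the chapter describes still applies: a hive that is loaded on the running computer is restored offline, not in place. The directory C:\RegBackup is a placeholder. Run it elevated, because saving the SAM and SECURITY hives needs the backup privilege.

```powershell
# Added example (not from the original chapter): save the nonvolatile hives
# under HKEY_LOCAL_MACHINE to hive files, protect the copies, and provide a
# restore for an individual key. C:\RegBackup is a placeholder. Run elevated.
$backupDir = Join-Path 'C:\RegBackup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null

# The hives immediately below HKEY_LOCAL_MACHINE. HARDWARE is volatile and
# cannot be saved as a hive, as the note above says, so it is left out.
$hives = 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'
foreach ($hive in $hives) {
    $target = Join-Path $backupDir "$hive.hiv"
    & reg.exe save "HKLM\$hive" $target /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe save HKLM\$hive failed (exit $LASTEXITCODE)" }
    '{0,-9} {1,12:N0} bytes' -f $hive, (Get-Item -Path $target).Length
}

# The SAM and SECURITY copies contain the same account credential material
# the running system protects, so the backup directory gets the same
# treatment: Administrators and SYSTEM only, nothing inherited from the
# parent directory. Anyone who can read these files can read every account.
$acl = Get-Acl -Path $backupDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $backupDir -AclObject $acl

# Restore of a single key, the counterpart of Regedt32's Restore command.
# reg.exe restore replaces the contents of an existing key with a saved hive
# file; it is meant for subkeys such as an application's key under SOFTWARE,
# not for a hive that is loaded on the running computer.
function Restore-RegistryKey {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,    # e.g. 'HKLM\SOFTWARE\ExampleApp'
        [Parameter(Mandatory)] [string] $HiveFile    # file written earlier by reg.exe save
    )
    & reg.exe restore $KeyPath $HiveFile | Out-Null
    return ($LASTEXITCODE -eq 0)
}
```

For a readable copy rather than a hive file, reg.exe export writes a key and its subkeys as text, which is the counterpart of the Save Subtree As command described later in this chapter; a text export is convenient for comparing two snapshots but, unlike a hive file, it does not preserve the keys' permissions.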

Compacting Registry Data

The memory used for the Registry is approximately equal to the size of a hive when it is loaded into memory. Hives vary in size on disk from 20K to more than 500K. The amount of space used depends chiefly on how many local user profiles are retained and how much information is stored in each profile.

You should remove unused or out-of-date user profiles from a computer by using the Delete User Profiles command in Windows NT Setup. (The Setup program protects you from deleting the profile for the currently logged on user.)

You can use the Save Key command to save a user hive, and then use the Restore command so you can use this smaller hive. How much space you gain depends on how much was stored in various user profiles.

This procedure is useful only for user profiles, not for the SAM, Security, Software, or System hives.

Viewing and Printing Registry Data as Text

You can examine the contents of a Registry key as text for troubleshooting. You can save a key as a text file, and you can print data from Registry Editor, including a key, its subkeys, and all of the value entries of all of its subkeys.

The Save Subtree As command on the Registry menu in Regedt32 also works for the HKEY_LOCAL_MACHINE \Hardware key, which you cannot otherwise save in its entirety as a hive file.

To save a Registry key as a text file

In Regedt32, select the key you want to save as a text file. From the Registry menu, click Save Subtree As. Use the Save As dialog box to navigate to the subdirectory of your choice, type a filename, and then click OK.

In Regedit, from the Registry menu, click Print, then click the Print To File check box, and click OK. In the Print To File dialog box, type a path and filename for the text file.

To print a Registry key

In Regedt32, select the key or subkey you want to print. Then, from the Registry menu, click Print Subtree. Printing begins immediately. (Print options must be set in advance by clicking Printer Setup on the Registry menu.)

In Regedit, from the Registry menu, click Print. In the Print dialog box, select an option under Print Range. The All option prints the entire Registry. The Selected branch option prints a specified path in the Registry. (If you click a key or subkey before clicking Print, its path appears in the Selected branch box, but you can type a path as well.) Click OK.

Table 24.3 summarizes the tools on the Windows NT Workstation Resource Kit CD that you can use to administer the Registry. For details about these and other utilities provided with the Windows NT Resource Kit, see Rktools.hlp on the Windows NT Workstation Resource Kit CD.